Sicurezza delle reti informatiche con il Pentest e il Vulnerability assessment Giacomo Lanzi

Computer network security: PT vs. VA

The security of computer networks is of vital importance for a company. With technologies increasingly relying on remote services, it is good to ensure that security is guaranteed. To do this, two tools are used: Vulnerability Assessment and Penetration Test. But what is the difference between them? The answer to this question is not as obvious as one might think.

The short answer is: a Pentest (PT) may be a form of vulnerability assessment (VA), but a vulnerability assessment is definitely not a Pentest. Let’s try to better understand how they work and their purposes.

Verification of the security of computer networks: Vulnerability Assessment

A vulnerability assessment is the process of running automated tools against defined IP addresses to identify vulnerabilities in the environment in which one operates. Vulnerabilities typically include unprotected or misconfigured systems. The tools used to perform vulnerability scans are specific software that automates the process. Obviously these software are practically useless without an operator who knows how to use them correctly.

These tools provide an easy way to scan for vulnerabilities and there are both open source and proprietary ones. The main advantage of the open-source ones is that, with great probability, they are the same ones used by hackers, they are unlikely to pay an expensive subscription, when they can download open source applications for free.

In practice, a VA allows you to:

identify and classify security holes in the computer network
understand the cyber threats to which the company is exposed
recommend corrective measures to eliminate the weaknesses found

The purpose of a Vulnerability Assessment is to identify known vulnerabilities so that they can be corrected. Scans are typically done at least quarterly, although many experts recommend monthly scans.

How to perform a VA

Il processo di esecuzione si divide in due fasi e non prevede lo sfruttamento delle debolezze riscontrate. Questo ulteriore passaggio e’ invece previsto nel Penetration Test.

Fase 1: prima analisi
durante questa fase vengono raccolte tutte le informazioni disponibili sull’obiettivo per determinare quali potrebbero essere i punti deboli e le falle nel sistema di sicurezza delle reti informatiche
Fase 2: seconda analisi
in questa fase, tramite l’uso delle informazioni ricavate, vengono messe alla prova i possibili problemi. In questa fase le vulnerabilita’ sono testate per capire se siano effettivi problemi come supposto precedentemente.

Data l’incredibile velocita’ in cui le tecnologie e le tecniche informatiche si evolvono, e’ possibile che un sistema si mostri sicuro questo mese, ma abbia invece delle criticita’ da risolvere il mese successivo. Per questo e’ consigliato ripetere regolarmente e con frequenza i controlli di sicurezza sulle reti informatiche aziendali.

 

The execution process is divided into two phases and does not involve exploiting the weaknesses found. This further step is instead foreseen in the Penetration Test.

Phase 1: first analysis
during this phase, all the information available on the objective is collected to determine what could be the weak points and gaps in the security system of computer networks
Phase 2: second analysis
in this phase, through the use of the information obtained, possible problems are put to the test. In this phase the vulnerabilities are tested to understand if they are actual problems as previously assumed.
Given the incredible speed at which computer technologies and techniques evolve, it is possible that a system will prove secure this month, but instead have some problems to solve the following month. For this reason, it is advisable to repeat the security checks on company computer networks regularly and frequently.

Results

At the end of the process of verifying the vulnerabilities of a system, the final reports contain all the results collected. Typically these enclose all relevant information, including:

the list of vulnerabilities found
an in-depth description of the vulnerabilities
countermeasures to be adopted to reduce risks

Verification of vulnerabilities is a fundamental procedure for the company, but it does not guarantee the security of computer networks. For the correct maintenance of the security of your systems, it is also essential to use another tool: the Penetration Test.

Penetration test

The Pentest, or penetration test, is aimed at verifying how the vulnerabilities of a system can be exploited to gain access and move within it. One of the initial steps performed by a pentester is scanning the network to find IP addresses, device type, operating systems and possible system vulnerabilities. But unlike the Vulnerability Assessment, the Pentest doesn’t stop there.

Of crucial importance for a tester is the exploit of identified vulnerabilities in order to gain control of the network or to take possession of sensitive data. The tester uses configurable automated tools to perform exploits against computer network systems. The peculiar part, however, occurs when the tester performs manual exploit attempts, just like a hacker would.

Classification

Penetration tests are classified in two ways: gray box or black box.

Gray box tests are performed with full knowledge of the target company’s IT department. Information is shared with the tester, such as network diagrams, IP addresses, and system configurations. The approach of this method is the verification of the safety of the present technology.

A black box test, on the other hand, represents more properly the action of a hacker who tries to gain unauthorized access to a system. The IT department knows nothing about the test being performed and the tester is not provided with information about the target environment. The black box method evaluates both the underlying technology and the people and processes involved to identify and block an attack as it would happen in the real world.

Phases of the Pentest

Phase 1: Analysis
The system is analyzed, studying its strengths and weaknesses. All preliminary information is collected. This, of course, does not happen if it is a gray box pentest.
Phase 2: Scan
The entire infrastructure is scanned to find the weak points to focus on.
Phase 3: Planning
Thanks to the information gathered, we plan with which tools and techniques to use to hit the system. The possibilities are many and they are both purely technological and social engineering techniques.
Phase 4: actual attack
In this phase the testers try to exploit the identified vulnerabilities to gain full control of the targeted system.

Report

At the end of the Penetration Test, a report is also compiled that details the entire process carried out and includes:

evaluation of the impact of a real attack on the company
solutions to solve problems and secure computer network systems

A Penetration Test that is not successful is a sign that the system under examination is safe * and the data inside it does not risk anything. However, this does not mean that the company will be protected forever from any attack: precisely because the strategies of hackers constantly evolve, it is important to carry out Penetration Tests regularly.

(*) It should be noted, however, that although a good Penetration Test follows guidelines or structuring methodologies (i.e. OWASP) it remains a test with a strong subjective impact of the Penetration Tester and of the team that performed it, therefore it cannot be excluded that by repeating the tests carried out by a different group of Penetration Tester we have no new results. Furthermore, as is well known to our readers, in the field of Cyber ​​Security the concept of “safe” in absolute terms is inadequate.

How to do

Although Vulnerability Assessments and Penetration Tests have different objectives, both should be performed regularly to verify the overall security of the information system.

Vulnerability assessment should be done often to identify and fix known vulnerabilities. The Pentest should be carried out at least once a year and certainly after significant changes in the IT environment, to identify possible exploitable vulnerabilities that may allow unauthorized access to the system. Both of the services described in this article are available through SOD, even on a recursive basis to ensure test effectiveness. contact us to find out more.

[btnsx id=”2931″]

Useful links:

Security: pentest and verification of vulnerabilities

Vulnerability Assessment & Penetration Test

 

 

 

Share


RSS

More Articles…

Categories …

Tags

RSS Dark Reading

RSS Full Disclosure

  • Disclosing Vulnerability of CLink Office 2.0 May 23, 2022
    Posted by chan chan on May 23Dear Sir/Madam, I would like to submit a vulnerability found on CLink Office 2.0. I had contacted the vendor 60 days before but in vain. # Exploit Title: Multiple blind SQL injection vulnerabilities in in CLink Office 2.0 Anti-Spam management console # Date: 30 Mar 2022 # Exploit Author: […]
  • [tool] tplink backup decryptor. May 23, 2022
    Posted by retset on May 23Yet another "tool" to decrypt a backup configs for some tplink wifi routers. Only tested on latest fw for "Archer C7". I hope that it will be useful for someone. https://github.com/ret5et/tplink_backup_decrypt_2022.bin
  • SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP® Application Server, ABAP and ABAP® Platform (Different Software Components) May 18, 2022
    Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on May 18SEC Consult Vulnerability Lab Security Advisory < 20220518-0 > ======================================================================= title: Multiple Critical Vulnerabilities product: SAP® Application Server ABAP and ABAP® Platform (Different Software Components) vulnerable version: see section "Vulnerable / tested versions" fixed version: see SAP security notes...
  • PHPIPAM 1.4.4 - CVE-2021-46426 May 18, 2022
    Posted by Rodolfo Augusto do Nascimento Tavares via Fulldisclosure on May 18=====[ Tempest Security Intelligence - ADV-03/2022 ]========================== PHPIPAM - Version 1.4.4 Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents ]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability […]
  • LiquidFiles - 3.4.15 - Stored XSS - CVE-2021-30140 May 18, 2022
    Posted by Rodolfo Augusto do Nascimento Tavares via Fulldisclosure on May 18=====[ Tempest Security Intelligence - ADV-12/2021 ]========================== LiquidFiles - 3.4.15 Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability...
  • Watch multiple LockBit Ransom get DESTROYED Mass PWNAGE at scale! May 18, 2022
    Posted by malvuln on May 18Watch multiple LockBit Ransom get DESTROYED Mass PWNAGE at scale! https://www.youtube.com/watch?v=eg3l8a_HSSU
  • github.com/malvuln/RansomDLLs / Catalog of current DLLs affecting vulnerable Ransomware strains. May 18, 2022
    Posted by malvuln on May 18Reference list for my Ransomware exploitation research. Lists current DLLs I have seen to date that some ransomware search for, which I have used successfully to hijack and intercept vulnerable strains executing arbitrary code pre-encryption. https://github.com/malvuln/RansomDLLs
  • APPLE-SA-2022-05-16-2 macOS Monterey 12.4 May 17, 2022
    Posted by Apple Product Security via Fulldisclosure on May 16APPLE-SA-2022-05-16-2 macOS Monterey 12.4 macOS Monterey 12.4 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213257. AMD Available for: macOS Monterey Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed […]
  • APPLE-SA-2022-05-16-6 tvOS 15.5 May 17, 2022
    Posted by Apple Product Security via Fulldisclosure on May 16APPLE-SA-2022-05-16-6 tvOS 15.5 tvOS 15.5 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213254. AppleAVD Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD Impact: An application may be able to execute arbitrary code with kernel […]
  • APPLE-SA-2022-05-16-5 watchOS 8.6 May 17, 2022
    Posted by Apple Product Security via Fulldisclosure on May 16APPLE-SA-2022-05-16-5 watchOS 8.6 watchOS 8.6 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213253. AppleAVD Available for: Apple Watch Series 3 and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free […]

Customers

Newsletter